VMware ESXi hosts run a Syslog service (vmsyslogd) that provides a standard mechanism for logging messages from the VMkernel and other system components. By default in ESXi, these logs are placed on a local scratch volume or a ramdisk. To preserve the logs further, ESXi can be configured to place these logs to an alternate storage location on disk and to send the logs across the network to a Syslog server.
Retention, rotation, and splitting of logs received and managed by a Syslog server are fully controlled by that Syslog server. ESXi cannot configure or control log management on a remote Syslog server. Additionally, forwarding specific log files (e.g. hostd.log or vmkernel.log) to the Syslog server is unsupported. For more information, see the documentation for that specific Syslog server.
There are five configurable ESXi Advanced Options:
Syslog.global.logDir - [DatastoreName] DirectoryName which maps to /vmfs/volumes/<DatastoreName>/<DirectoryName>/. "Internal error" in the UI and "Logdir must exist and be a directory" error message in log file ESXi - /var/run/log/hostd.log.
Syslog.global.logHost - tcp://hostname:514, udp://hostname:514, ssl://hostname:1514.
Syslog.global.logDirUnique - logDir. false.
Syslog.global.defaultRotate -
Syslog.global.defaultSize
Note: To individually set the options for system components such as auth, hostd etc., select the loggers under syslog from the vSphere client GUI in Advanced System Settings, and set to desired value (e.g. for hostd, Syslog.loggers.hostd.rotate and Syslog.loggers.hostd.size).
esxcli command
Local and remote syslog functionality can be configured for a host using the esxcli command line utility, which can be used at the console of an ESXi host, in the vCLI, or in the vMA.
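esxcli command is available, such as the vCLI or on the ESXi host directly.
# Display the current syslog configuration
esxcli system syslog config get
# Set one or more of the configuration options
esxcli system syslog config set --logdir=/path/to/vmfs/directory/ --loghost=RemoteHostname --logdir-unique=true|false --default-rotate=NNN --default-size=NNN
# Example: send logs to a remote syslog server over TCP port 514
esxcli system syslog config set --loghost='tcp://<syslog_server_IPv4>:514'
# Reset the loghost setting to its default
esxcli system syslog config set --reset=loghost
# Load the new configuration after making changes
esxcli system syslog reload
# Test whether the TCP port on the syslog server is reachable from the host
nc -z <RemoteHostname> 514
nc -z 10.11.12.13 514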
Local and remote syslog functionality can be configured for a cluster of similar hosts using Host Profiles. For more information, see Set Up Syslog from the Host Profiles Interface.
esxcli or advanced configuration options and captured this as a reference host, the 5 configuration options are already visible under the Advanced Configuration option section.
Local and remote syslog functionality can be configured for a host using advanced configuration options, which can be set using the vSphere Client, vSphere Web Client, PowerCLI, or vCLI.
This configuration cannot be performed using the local console's esxcfg-advcfg command. For more information on setting advanced configuration options using each method, see Configuring advanced options for ESXi/ESX.
Note: If the ESXi host loses communication with the remote syslog server, logging is no longer pushed to the syslog server. This can be confirmed by reviewing the /var/log/.vmsyslogd.err file on the ESXi host and looking for the "failed to write log" error message. Nothing is sent to the remote syslog server until the syslogd service is restarted.
esxcli command/syslog port:
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
esxcli system syslog mark --message "Syslog Test Message"
With ESXi 8.0 Update 2b, when syslog remote hosts (loghosts) are configured with non-standard ports, the vmsyslogd service automatically creates persistent dynamic firewall rules. It is no longer necessary to manually open the firewall for ports other than the defaults, 514 for TCP/UDP and 1514 for SSL. When remote hosts are configured with the standard ports, the syslog firewall ruleset must still be enabled.
Refer to VMware ESXi 8.0 Update 2b Release Notes.
Example
esxcli system syslog config set --loghost=tcp://#.#.#.#:12345
esxcli network firewall ruleset rule list | grep dynamic
Note: For versions prior to ESXi 8.0 U2b, if a custom syslog port is needed, the method for opening the port is to use a partner-created VIB. See Creating custom firewall rules in VMware ESXi is not supported for more information.
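The esxcli and firewall steps above, combined into one pre-flight helper as an added example (not VMware code): it validates a single loghost value and prints the commands that apply to it, without running any of them. The function names, the requirement that protocol and port are both present, and the caller-supplied "8.0 U2b or later" flag are assumptions of this example.

```sh
#!/bin/sh
# Added example, not VMware code. It only prints commands; nothing is executed.

# Sets LH_PROTO, LH_HOST, LH_PORT; returns 1 on a malformed value.
# Assumptions: protocol and port are both required (as in tcp://hostname:514)
# and the host is a DNS name or IPv4 address.
parse_loghost() {
    case "$1" in
        tcp://*:*|udp://*:*|ssl://*:*) ;;
        *) return 1 ;;
    esac
    LH_PROTO=${1%%://*}
    LH_HOST=${1#*://}; LH_PORT=${LH_HOST##*:}; LH_HOST=${LH_HOST%:*}
    # Reject anything that could break out of the quoted command line below.
    case "$LH_HOST" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$LH_PORT" in ''|0*|*[!0-9]*|??????*) return 1 ;; esac
    [ "$LH_PORT" -le 65535 ]
}

# $1 = loghost URL, $2 = "yes" if the host runs ESXi 8.0 U2b or later
# (assumption: the caller supplies this). Returns 1 = invalid, 2 = unsupported.
loghost_steps() {
    parse_loghost "$1" || { echo "invalid loghost: $1" >&2; return 1; }
    std=514; [ "$LH_PROTO" = ssl ] && std=1514   # defaults as stated above
    if [ "$LH_PORT" != "$std" ] && [ "$2" != yes ]; then
        echo "port $LH_PORT: before 8.0 U2b this needs a partner-created VIB" >&2
        return 2
    fi
    echo "esxcli system syslog config set --loghost='$1'"
    if [ "$LH_PORT" = "$std" ]; then
        # Standard port: the syslog ruleset must still be enabled by hand.
        echo "esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true"
        echo "esxcli network firewall refresh"
    fi
    echo "esxcli system syslog reload"
    # Non-standard port on 8.0 U2b+: confirm vmsyslogd created its dynamic rule.
    [ "$LH_PORT" = "$std" ] || echo "esxcli network firewall ruleset rule list | grep dynamic"
    # nc -z probes TCP only, so it is skipped for udp:// targets.
    [ "$LH_PROTO" = udp ] || echo "nc -z $LH_HOST $LH_PORT"
    echo "esxcli system syslog mark --message \"Syslog Test Message\""
}
```

For example, `loghost_steps 'tcp://10.11.12.13:514' no` prints the six commands for a standard-port TCP target; review the output before pasting it into an ESXi shell.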